Safeguarding New Tech: Navy CIO Robert Carey

Navy CIO Robert Carey was among the first federal CIOs to embrace blogging as a way to keep in touch with his various constituencies, including officers and sailors. Carey believes steps can be taken to embrace new technologies while maintaining security.

In this second of two parts of an exclusive interview, Carey discusses:

Securing the new Navy-Marine intranet to debut next year;

How the Navy employs social networking, though with some security restrictions; and

Plans to implement secure cloud computing as a way to exploit technical efficiencies.

Carey joined the Navy's Office of CIO in 2000, regularly being elevated from e-business team leader, to director of the Smart Card Office, to deputy CIO for policy and integration to CIO. Previously, Carey served in a variety of engineering and program management leadership positions within the Navy's acquisition community in the undersea warfare domain. A 1982 graduate of the University of South Carolina with a BS in engineering, Carey earned a master of engineering management degree from George Washington University in 1995. As an active member of the Naval Reserve, he holds the rank of commander in the Civil Engineer Corps. Carey was recalled to duty for Operation Desert Storm and more recently as part of a Marine expeditionary force in Iraq's Al Anbar province.

ERIC CHABROW: Hello, I'm Eric Chabrow of the Information Security Media Group. Welcome back to the second installment of our interview with Robert Carey. In part one, we discussed his role as co-chair of the Federal CIO Council's Information Security and Identity Management Committee. Now we'll turn to Carey's current day job, chief information officer of the US Department of the Navy.

What are the biggest IT security challenges facing the Navy department and how are you addressing them?

ROBERT CAREY: They are actually very similar to what we're facing at the federal government layers. We try to reduce our footprint. We have a large IT footprint and we have lots of applications. We have approximately 750,000 folks who engage our network at one time or another; we are a very large place and we're trying to consolidate the footprint so that we can better defend it. We try to homogenize the security paradigms for each of the networks so that when we do patches for example, or when we have to do something that we require all to comply with, it can be done and it can be monitored more quickly. We, too, are working a cyber investment roadmap. We've invested a lot in many IT security products across defense in depth and breadth in spectrum, but yet we still need to understand where we are going to spend money in FY '10, '11, '12, '13, '14 and then what do we get for that money. We need to be able to associate an outcome, a level of surety to our investments, and I think that is something agencies across the federal government also need to work on.

We are working very hard to educate our senior executives and flag officers on IT at large. They don't have to be IT experts by any stretch, but as I have said several times and I think others have said, you know every person who engages in network to do their job becomes a cyberspace warrior because you present an opportunity for both being a defender and being a vulnerability at the same time. As we educate the workforce at large and we raise the training of the network administration and things like and then we raise and education awareness of the executives of what they need to be mindful for in their part of the department, it affords us this opportunity to sort of go forward with knowledge and comply with things with some understanding, not complying with any understanding about what is expected of you.

Another big project that we have is obviously the replacement to the Navy Marine Corps Intranet, and as we move forward, we had an industry day a week and a half ago and several hundred companies showed up and so we look forward to the opportunity to engage industry on that particular large project.

CHABROW: Let me just ask you about the replacement for the Navy Marine Intranet. Tell me about it in respect of its architecture and how security can be part of that.

CAREY: We have a security conops (concept of operation) and when we developed thought pieces and architectural components that we have derived from the Navy Marine Corps Intranet itself and how we operate it and how we defend it and - this is what we call fight the network. And we intend to impart them on the next generation network and then move forward toward what we call our naval network environment 2016 vision, which is very succinctly stated, you know information access from any desktop in the department. When I say that I mean, I plug in my common access card, I type in my PIN, and I should be able to get my information securely from any desktop. There is a lot that has to be done to afford that architecturally, and there is a lot that has to be done to afford that outcome in the security space. We've rolled out cryptographic log-on across the department already, although we have some lazy networks that are not quite there yet. But we are working to do that. We are rolling out data-at-rest encryption. These things become the fundamentals that are already in place when NGEN (next generation network) takes over. When the next generation network starts on 1 Oct. 2010, which the day before is the day MCI contract expires, we have a continuum of network capability.

CHABROW: You've been lauded for being among the first CIOs to initiate a departmental blog as well as advocating with Web2.0 technologies. Some people are concerned about the IT security and privacy information implications these technologies present. Is such apprehension valid and how would you allay their concerns?

CAREY: The Web2.0 tools present an opportunity to us to smartly implement them in the conduct of our day to day business. We have to be mindful of the fact that we are not the drivers of the Internet and not the drivers of communication capabilities that exist out there. We are consumers of them and need to take advantage of these waves of innovation that occur. We didn't invent RSS feeds, but we use them. We didn't invent blogging and we didn't invent any of the other technologies, but we are all using those as avenues to communicate and collaborate. As we hire and recruit millennial generation and ingest them into the Department of Navy, they are very comfortable and familiar with all of these tools to do personal business and work-related function.

I think the security sides of them really become evident on how much you engage the open Internet and types of information that you can put on these tools. Clearly, something that is, what we call controlled unclassified information, CUI, is not something that is suitable for open Internet publications. Similarly, if I use these tools on our secret network, the SIPRNet (Secret Internet Protocol Router Network), it's fine. It is a self-contained network. We just have to be judicial about how we use the tools, but I encourage their use because I believe them to be productivity enhancers. I believe them to be mechanisms that can build trust across a department. These things like Facebook, the social networking tools, provide an ability to develop a relationship with someone you never knew. You never knew what they do, and so if you had a problem that you needed help with, you could reach out and tap a previously untapped resource to get an answer that is both better than you would have done yourself and faster than you would have been able to do yourself. All of these tools provide, you know, sort of that nexus, that perfect storm of moving us into the next space and the next space of efficiency and effectiveness of how we do our jobs. We have used wikis to develop policy in the department, because that is simply a document creation and editing feature of a wiki. Now we have learned two things. The older work force is not comfortable with using that technology and then the wiki sort of forces you to not, as I say, "edit in the margins." It forces you to write it like you want to see it, and I think again culturally some people are not used to being afforded the opportunity to sort of put their money where their mouth is and say something as if they want to read it that way. The Web2.0 tools present that opportunity to be very direct and very collaborative far more than we would have done if we didn't use them.

CHABROW: What kind of restrictions does the Navy have, if any, allowing sailors on ships to use Facebook and social networks like that?

CAREY: We have restrictions today on some of the social networking sites, and we are actually working through some of the restrictions on Facebook. We don't constrain anybody from using it in their personal lives, but we are trying to figure out, how does that type of a technology support the mission of the department? Now, our legal community, our Office of General Counsel, has a Facebook like application inside their legal network. We've already cracked the code on it provides value, but that is self-contained. It is in our own network. It doesn't engage the Internet, so that is why I say a Facebook-like application I believe provides great value. The security and privacy concerns of engaging the open Internet becomes a potential challenge based upon just the very nature of the work we do. You can imagine some of those capabilities could very well exist inside the confines of the Navy Marine Corps Intranet or the next generation network when we sort through how we want to use such an investment.

CHABROW: Is a sailor on a ship able to communicate with his spouse using Facebook or not?

CAREY: I think we would probably allow them to communicate via his network on the ship. I'll be honest with you, I'm not sure if I have Facebook capabilities afloat. I think Facebook is one of the apps that we allow right now. You can use the afloat networks; you can use Department of Navy networks for contacting your spouses. You can send e-mails to home. That is perfectly acceptable. Some people believe that you can't do that, and the answer is yes you can within the ethics guidelines that we have today.

CHABROW: Is the Navy involved in any cloud computing projects?

CAREY: Yes. We are studying the effects of cloud computing and then examining, for example, how do we take advantage of what we believe to be this next "boom" in computing as far as sufficiency, effectiveness and security. We have people at the Space Naval Warfare Systems Command examining this as well as the Office of Naval Research. We are looking at how do I do that, how do I take advantage of cloud computing given my existing legacy infrastructure, because it is not a simple decision and not a small investment to move into that space. But the Office of the Secretary Defense, the DOD, the CIO, as well as the other military departments, we are all looking at this opportunity very closely and trying to determine, how do I move into that space and what pace do I do it?

CHABROW: Are you looking at doing it within your own networks, or are you looking to take care, take advantage of the public math computing offerings?

CAREY: That is actually one of the questions. How do you take advantage of it given the type of information that we have? On first pass, I would say it would be within our own networks, but we are big enough to be our own cloud, if you would. The GIG, the global information grid of the DOD, is quite a large cloud unto itself. So the question is, how do I create the cloud and provide access to information from anywhere around the globe to sailors and marines while making sure that no one else can get to it? The obvious opportunity is to keep it inside at least the DOD. Now that being said, I have to produce facts to support that hypothesis.

CHABROW: Is technology playing a role of, perhaps, uniting the service branches that may not have been there in the past?

CAREY: I think technology and information management play that under-pinning role to our ability to deliver war fighting capabilities or national security capabilities to the nation with that foundational element that is the backbone of what I call kinetic operations. When you see ships on the horizon, when you see tanks on the ground, they get there and they get their information, their commanders make their decisions obviously on a backbone of IT. While we are four separate services, the answer is yes. We openly share solutions. We are openly working on interoperable solutions that allow us to communicate more freely than we do today. When we go into conflicts, we have in essence seamless communications to afford our ability to most efficiently do our job.

CHABROW: Is some of the decision making in those situations more collaborative today than in the past among the branches?

CAREY: Very much so. We all possess certain skills, and we all possess the ability now to openly collaborate to get the best answer to any war fighting problem. I think that technologies of today intersecting with more advanced processes on how to collaborate are enabling us to do things better, faster, cheaper.

CHABROW: Well thanks for taking time to talk with me.

CAREY: Thanks Eric, take care.

CHABROW: That is Rob Carey, the Chief Information Officer of the United States Navy. I'm Eric Chabrow at Information Security Media Group, thanks for listening.
